Knowledge Base

Rogue PCDefPlus Malware removal guide

The following article provides information on how to remove the the Rogue PCDefPlus Malware infection from your Dell PC. Please be aware that most of the steps here are not covered under your warranty and are carried out at your own risk.

This article deals with variants of the Rogue PCDefPlus Malware family of rogue anti-spyware programs. It will display false scan results, fake security warnings, and terminate legitimate applications when you attempt to run them.

This scareware is promoted through Trojans that pretend to be programs necessary to watch any online videos. You can also become infected by this software if you've been visiting web sites that have been hacked with exploit kits.

Note: As always the decision to use this information is at the end user’s risk as malware removal is not a pro-support entitlement. This information is provided AS IS.

The surest way to resolve this issue is to either perform a factory restore or a clean Operating system install on your system. Taking you through this reinstall is what is covered under your pro support warranty. You can also find articles taking you through this, that match your particular operating system and situation on the link page below.

The infection will usually show itself as one of a number of products. Such as Titan Antivirus, PC Defender 360, PC Defender Plus or Win 7 Defender or similar wording.

PCDefPlus will launch every time you open an application on your PC. It does a fake scan of the system and reports multiple faults. The program tries to charge you, before it will let you quarantine or remove any fake infections it's reported.

Ignore anything reported by this malware and do not pay for anything.

PCDefPlus will kill any program you try to open and report the program as infected. It modifies the .EXE extension in the Registry so that you'll launch the malware instead of the program you've clicked on. This prevents it from being removed by legitimate security software and helps the illusion that it's found a problem.

the < Application Name > Firewall Alert

An application cmd.exe is infected with Trojan-Downloader.JS.Agent.ftu. Private data can be stolen by third parties, including credit card details and passwords.

You will see various fake alerts that are supposed to scare you into buying the software, thinking that your PC is about to crash. It will reports things like.

Security Alert
Unknown program is scanning your system registry right now! Identity the theft detected.

Security Alert
Vulnerabilities Found
Background scan for security breaches has been finished. Serious problems have been detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defence.

Ignore these also.

Please do not purchase this program, It's scareware and it's aim is to extort money and payment details. If you have already paid, please contact your credit card company and cancel the charges. Inform them that the program is a computer infection and is trying to extort money and capture your card details.

Navigate using the cursor/arrow keys on your keyboard and select Safe Mode with Networking onscreen and press the Enter key on your keyboard.

Windows boots into safe mode with networking and prompts you to login as a user. Please login as the user that is infected with the malware.

Before we start any downloads or scans we need to end the processes that belong to the malware. In this case I'm using RKill as it's a program I'm familiar with. You can find another program that does the same job as RKill, but the steps below will be for that program. You can download RKill to your desktop from the following link. (RKill was developed by BleepingComputer as Freeware and can be very useful.)

You may want to download both the RKill and the iexplore.exe download, as some Malware will recognise RKill and try and stop it running. Please save them to your desktop.

Double-click on the RKill or iExplore.exe icon to automatically stop any processes associated with the the Rogue PCDefPlus Malware and other Rogue programs. It may take a while for it to end them. When its finished the black window will close. If you get any error messaging that RKill is an infection, ignore it. If any of these warnings close RKill, then it's best to leave the messaging onscreen and run RKill again. If you don't close the messaging it won't run again. Don't reboot your computer after running RKill as the malware is tied to your system startup.

Note: If you are having problems running RKill, then renaming the RKill icon will usually trick the Malware.

I would suggest downloading Malwarebytes Anti-Malware and saving it to your desktop. As before, this is the program I'm most familiar with - you can use any program you're comfortable with, that will do the same job. Malwarebytes is a Freeware program.

Once downloaded, close all programs and Windows on your computer. Including this browser.

Double-click on the icon on your desktop to start the installation of Malwarebytes onto your PC.

Follow the setup prompts. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware checked. Then click on the Finish button. If MalwareBytes asks you to reboot, please ignore it.

Malwarebytes will now start up and you will get an onscreen message saying that you should update the program before performing a scan. the program will automatically update itself after the install, select the OK button to close that box and you will now be at the main program window.

On the Scanner tab, make sure the the Perform full scan option is selected and click on the Scan button to start scanning your computer.

The program will start scanning your computer for malware. This process can take quite a while.

When the scan is complete, a finished message box will appear.

Click on the OK button to close the message box and continue with the removal process.

You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

A window showing all the malware that the program found will appear.

Click on the Remove Selected button to remove all the listed malware. All of the files and registry keys will be deleted and it will add them to the programs quarantine. While removing the files, Malwarebytes may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, allow it to do so. Once your PC has rebooted and you are logged in continue with the rest of the steps.

When Malwarebytes has finished removing the malware, it will open the scan log and display it in Notepad. Review the log and then close the Notepad window. You can now exit the Malwarebytes program.

File Location Notes

means that the file is located directly on your desktop. This is C:\Users\<Current User>\Desktop\ for Windows Vista/7/8 or C:\DOCUMENTS AND SETTINGS\<Current User>\Desktop\ for Windows 2000/XP.

%CommonAppData%

refers to the Application Data folder for the All Users profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7 and Windows 8.

%CommonStartMenu%

refers to the Windows Start Menu for the All Users. Any programs or files located in the All Users Start Menu will appear in the Start Menu for all user accounts on the computer. For Windows XP/Vista/NT/2000 and 2003 it refers to C:\Documents and Settings\All Users\Start Menu\ and for Windows Vista/7 and 8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.

Note: This is a self-help guide. Dell only supports using our reinstall software to recover your PC to the way it shipped from us. Use of this guide is strictly at your own risk and Dell strongly recommends you do not edit your registry yourself.

To minimise the risk of a repeat infection, make sure that you have a real-time antivirus program running on your PC and see that it stays updated. If you don't want to spend money on a paid service, then you can install one of the free programs that are available.

In addition to installing traditional antivirus software, you might consider consider reading the guide below for some basic rules for safe surfing online.

Always double check any online accounts such as online banking, webmail, email, and social networking sites. Look for suspicious activity and change your passwords, you can't tell what info the malware might have passed on.

If you have an automatic backup for your files you will want to run virus scans on the backups to confirm that it didn't backup the infection as well. If virus scans aren't possible such as online backups, you will probably want to delete your old backups and save new versions.

Keep your software current. Make sure that you update then frequently. If you receive any messages about this and aren't sure of their validity, then always contact the company in questions support to clarify it.